Right to information
In application of the provisions of Article 11 of Organic Law 3/2018, of December 5,
on the Protection of Personal Data and guarantee of digital rights (hereinafter
LOPDGDD) and Article 13 of the General Data Protection Regulation 2016/679
(GDPR), we describe how personal data is processed at Hostal Kronoguest.
– Definitions
It is understood by:
- Personal data: any information about an identified or identifiable natural person
(the data subject). An identifiable natural person is considered to be a person whose identity
can be determined, directly or indirectly, by means of an identifier, such as a
name, an identification number, location data, an online identifier, or one or more
elements specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that person.
- Processing: any operation or set of operations carried out on personal data
or on a set of personal data, whether by automated means or not, such as
collection, recording, organization, structuring, storage,
adaptation, alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment, limitation, erasure or destruction.
- Profiling: any form of automated processing of personal data
consisting of the use of this data to evaluate personal aspects of a natural person;
especially, to analyze or predict aspects relating to professional performance, the
economic situation, health, personal preferences, interests, reliability,
behavior, location, or movements of this person.
- Pseudonymization: processing of personal data in such a way that it cannot be attributed to
a data subject without the use of additional information, provided that such information is kept separate
and subject to technical and organizational measures to ensure that personal information
is not attributed to an identified or identifiable natural person.
- File: a structured set of personal data accessible according to specific criteria,
whether centralized, decentralized or distributed in a functional or
geographical manner.
- Data controller: the natural or legal person, public authority,
service or any other body which, alone or jointly with others, determines the purposes of
the processing.
- Data processor: the natural or legal person, public authority,
service or any other body which processes personal data on behalf of the controller.
- Recipient: the person to whom personal data is disclosed, whether a third party
or not. However, public authorities which may receive personal data in the
framework of a particular inquiry should not be considered as recipients.
- Third party: a natural or legal person, public authority, agency or body other than the
data subject, the controller, the processor and the persons
authorized to process personal data under the direct authority of the controller or the
processor.
- Consent of the data subject: any freely given, specific,
informed and unambiguous indication of the data subject’s wishes by which the data subject accepts,
by means of a statement or a clear affirmative action,
the processing of personal data relating to him or her.
- Supervisory authority: the independent public authority established by a
member state, in accordance with Article 51 of the GDPR.
- Cross-border processing:
· The processing of personal data carried out in the context of activities of establishments in more than one member state by a controller or processor in the European Union, if the controller or processor is established in more than one member state.
· The processing of personal data carried out in the context of a single
establishment of a controller or processor in the Union, but which
affects or may substantially affect data subjects in more than one member state.
-Who decides on the use to be made of the data and the means to be used
to process them?
The data controller is Kronotex Spain, S.L.
- VAT Number: B98390461
- Address: Barrio Castañares, s/n (09199) Burgos
- Phone: +34 947 484 900
- Email: privacy@kronospan.es.
-Who monitors compliance with all rules governing
information processing at the hostel?
The data protection officer is CIPDI Information Processing SL, with address
in Mataró (08302), Pablo Iglesias 63 1º 4ª, dpd@cipdi.com.
-For what purpose will we use your data, what is the legal basis for
this data processing and how long will we keep the data?
| Purpose | Legal basis | Storage |
|---|---|---|
| Storage | Contractual relationship | 5 years |
| Sending of commercial information | Consent and legal authorization (art. 21.2 of the LSSI) | Until consent is revoked or rights are exercised |
| Labor management | Contractual relationship and legal authorization | 4 years |
| CVs | Contractual relationship and consent | 1 year |
| Video surveillance | Legitimate interest. Maintenance of security within the hostel | 30 days |
-Do we carry out any image processing?
With the exception of images that may be captured by security cameras, no.
-Who can access and know the contents of your data?
To comply with the above purposes, personal data may be accessed by
providers that provide services to the hostel. Their access will be limited to the data that is
necessary to perform the functions entrusted to them by the data controller. With
all entities and recipients, confidentiality agreements and/or
specific agreements have been signed governing access to information, security measures
and the use that can be made of the data.
You can obtain more information by consulting the Data Protection Officer.
-Is there any cross-border data processing?
The data controller does not host data outside the European Union.
-What rights do data subjects and data owners have?
- Right of access. Regulated in Article 15 of the GDPR 2016/679 of April 27
2016. It involves asking the data controller to obtain
free of charge all the information it has about their personal data and communications
that have been made, or that are planned.
- Right to rectification. Regulated in Article 16 of the GDPR. It is asking the
data controller to change the content of the information about the individual
and their data, following the instructions of the information owner.
- Right to erasure. Regulated in Article 17 of the GDPR 2016/679. It consists of
requesting the data controller to delete any information about the individual
from the data owner. Erasure involves blocking all data and keeping it available
to public authorities for the prescribed period for legal action to be taken.
- Right to restrict processing. Regulated in Article 18 of the GDPR 2016/679 of April 27
2016. It involves requesting the data controller to limit the
processing of data when one of the following conditions is met:
· the personal data is inaccurate;
· the processing is unlawful;
· the controller no longer needs the data for processing;
· when the reasons for the data subject’s request prevail over those of the data controller.
- Right to data portability. Regulated in Article 20 of the GDPR
2016/679 of April 27, 2016. It involves requesting the data controller
to provide the personal data of the data subject in a structured,
commonly used and machine-readable format, in order to transmit them to another
data controller when the processing is done by automated means and is based
on explicit consent.
- Right to object. Regulated in Article 21 of the GDPR 2016/679 of April 27
2016. It involves asking the data controller to process the data following
specific instructions provided by the owner of the personal information.
- Right to withdraw consent. Regulated in Article 13.2.c) of the GDPR
2016/679 of April 27, 2016. It is an order given by the data subject to the
data controller notifying them that they are withdrawing the consent given to
process their data.
- Right not to be subject to automated individual decisions. It is the request to the
data controller that all decisions with legal effects
are not made solely by machines.
- To exercise the above rights, you can address the data controller in writing to the
address, or send an email to the
address privacy@kronospan.es with the text “DATA PROTECTION” in the subject
line and attaching a photocopy of your ID card, NIE or passport in that email.
-How can a complaint be made?
If you believe your rights have been violated, the competent body to assess
the correct application of the rules on information processing is the
Spanish Data Protection Authority, located at Calle Jorge Juan n. 6 in Madrid.
-What obligations do I have as a data subject?
The data subject must provide truthful and updated information in all data collection processes,
being responsible in case of breach of this obligation.
Depending on the demand made by the data subject, the mandatory data is already
marked in the collection forms. Failure to provide the mandatory data could
harm the right to the requested service.
-Can the data controller create profiles?
In order to provide more personalized, careful, and effective user attention, sometimes it is
necessary to create profiles of service recipients. Profiles are not created without
the direct intervention of a natural person.
User consent
It is understood that the user accepts the proposed conditions if they press the ‘ACCEPT’ button
found on the data collection forms, or if they send an email to the contact addresses
listed on the website.
Personal data is stored in the general administration database of the data controller
which, in any case, guarantees the technical and organizational measures to preserve
the integrity and security of the information it processes.
Security
The general database has the required security document and has all
technical means at its disposal to prevent loss, misuse, alteration, unauthorized access, or
theft of the data you provide us. The processing of personal data is
adjusted to the provisions of Organic Law 3/2018 on data protection and digital rights guarantee
and Regulation (EU) 2016/679 of the European Parliament and of the Council, of
April 27, 2016.
Use of IP addresses
To facilitate the search for resources that we believe are of interest to you, you may find on
this website links to other pages.
This privacy policy only applies to this website. The data controller does not guarantee
compliance with these rules on other websites, nor is responsible for access through
links from this site.